Toothbrush and password: keep it to yourself

Passwords are like toothbrushes, you should keep them to yourself. And discard them, and get a new one, if they have been used by others.

You should feel slightly disgusted if someone else helped themselves to your password, or forced you to share your toothbrush. Disgust is a useful feeling for security purposes, but not enough to build any policy on. Policy must be built on finding the real life requirements for passwords. Real life includes thinking about cost in money, cost in time, possibility of enforcing rules, ease of use and the culture of the user population. Never give a rule that you cannot enforce.

Policy must state requirements for password, but still be useable for real people. This includes not forcing users to change their passwords too often, since that leads to them writing down password (or cycling through a small list, if they are allowed). Users are fundamentally smart, and tend to do things that benefit them. One of the things that benefit users, is laziness, or “not spending valuable work time confirming to stupid rules”. No-one is employed to conform to security regulations, they are employed to teach, administrate, support, solve problems, treat cases and such-like activities.

Password regulations should think about stuff that users may encounter, such as being able to type in a password on a foreign keyboard (where do I find Æ on a French keyboard?), especially if they are likely to travel and use Internet cafes. Then on the other hand, we should be careful not to spend too much time thinking about unlikely situations.